CVE-2024-4990 Overview
CVE-2024-4990 is an Object Injection vulnerability in the Yii Framework version 2.0.48. The base Component class contains a critical flaw where the __set() magic method does not validate that the value passed is a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, passing parameters to their constructors and invoking setter methods. Depending on the installed dependencies, various types of attacks are possible, including the execution of arbitrary code, retrieval of sensitive information, and unauthorized access.
Critical Impact
Attackers can exploit improper class name validation in the __set() magic method to instantiate arbitrary classes, potentially leading to remote code execution, data exfiltration, or complete system compromise depending on available dependencies.
Affected Products
- Yiiframework Yii version 2.0.48
Discovery Timeline
- 2025-03-20 - CVE-2024-4990 published to NVD
- 2025-04-01 - Last updated in NVD database
Technical Details for CVE-2024-4990
Vulnerability Analysis
This vulnerability falls under CWE-470: Use of Externally-Controlled Input to Select Classes or Code, commonly known as Unsafe Reflection. The Yii Framework's base Component class implements PHP magic methods to provide dynamic property access and behavior attachment. The __set() magic method is designed to allow behaviors to be attached to components dynamically, but it fails to properly validate that the provided class name or configuration represents a legitimate Behavior class.
When an attacker can control the input to this method, they can specify arbitrary class names that will be instantiated by the framework. The instantiation process passes attacker-controlled parameters to the class constructor and may invoke setter methods, creating a powerful primitive for exploitation.
Root Cause
The root cause lies in insufficient input validation within the __set() magic method of the Yii Framework's base Component class. The method accepts class names or configurations without verifying that they correspond to valid Behavior classes. This trust in user-supplied data violates the principle of least privilege and creates an opportunity for unsafe object instantiation.
In PHP applications, this pattern is particularly dangerous because the framework will locate and instantiate any autoloadable class, not just those intended for use as behaviors. The combination of arbitrary class instantiation with constructor and setter invocation creates multiple avenues for exploitation.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker who can influence the values processed by the vulnerable __set() method can exploit this vulnerability remotely.
The exploitation process involves:
- Identifying an application endpoint where user input flows to the Component's __set() method
- Crafting a malicious payload specifying an exploitable class name and parameters
- Leveraging the instantiated object's constructor or setter methods to achieve the desired impact
The actual impact depends heavily on the application's dependencies and the classes available in the autoload path. Applications with libraries that have dangerous constructors or magic methods (such as those performing file operations, database queries, or command execution) are at higher risk.
For detailed technical information about this vulnerability, see the Huntr Bug Bounty Report.
Detection Methods for CVE-2024-4990
Indicators of Compromise
- Unusual HTTP requests containing serialized PHP objects or class name references targeting Yii Framework applications
- Application logs showing instantiation of unexpected classes or behaviors
- Error messages related to class not found exceptions for non-standard class names
- Unexpected outbound network connections or file system access from web application processes
Detection Strategies
- Monitor web application logs for requests containing suspicious class name patterns or PHP serialization artifacts
- Implement runtime application self-protection (RASP) to detect and block arbitrary class instantiation attempts
- Deploy Web Application Firewall (WAF) rules to filter requests containing potential object injection payloads
- Use static analysis tools to identify code paths where user input reaches the Component's __set() method
Monitoring Recommendations
- Enable verbose logging for Yii Framework applications to capture behavior attachment events
- Configure alerting for PHP fatal errors or exceptions related to class instantiation failures
- Monitor server resource utilization for anomalies that may indicate exploitation attempts
- Review application dependency lists for classes known to have dangerous constructors or magic methods
How to Mitigate CVE-2024-4990
Immediate Actions Required
- Audit your Yii Framework applications to identify if version 2.0.48 is in use
- Review code paths where user input may influence behavior attachment or component property setting
- Implement input validation at the application level to restrict class names to an allowlist
- Consider temporarily disabling dynamic behavior attachment if not required by your application
Patch Information
Organizations should monitor the Yii Framework official repository and security channels for patch releases addressing this vulnerability. The vulnerability was reported through the Huntr Bug Bounty platform, and users should check for security advisories from Yiiframework.
Until a patch is available, apply the recommended workarounds and implement defense-in-depth measures.
Workarounds
- Implement a custom Component class that overrides __set() with proper class validation against an allowlist
- Use input sanitization and validation at all application entry points to prevent malicious class names from reaching the vulnerable code
- Restrict the classes available in the autoload path by auditing and removing unnecessary dependencies
- Deploy network-level controls to limit the attack surface of affected applications
# Example: Identify affected Yii version in composer.lock
grep -A 5 '"name": "yiisoft/yii2"' composer.lock | grep '"version"'
# Check for version 2.0.48
# If affected, consider constraining to a patched version when available
composer require "yiisoft/yii2:>2.0.48" --update-with-dependencies
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
